Did Amazon Just Jump the Shark on Consumer Privacy?

The sitcom “Happy Days” was pretty much doomed when the Fonz, wearing swim trunks and a leather jacket, stepped into that waterski and jumped a shark. That episode now epitomizes the over-reach that sends television shows on a downhill trajectory.

The Internet of Things (IoT) found a still better foothold in consumer households with Amazon’s recent acquisition of eero, a wifi mesh router company. The move will further blur the line between the consumer’s physical environment and what has become an ever-present, virtual marketplace where the offerings of Amazon are sewn into the fabric of daily life.

The addition of eero to Amazon‘s IoT offerings has the potential to unify, if not complete, the company’s virtual presence in our homes, one that currently includes smart doorbells, tablets, smart speaker/personal assistants, and media streaming devices. It also represents a potential worst-case scenario for consumer privacy.

On the face of it, this isn’t the worst news out there. Facebook’s endless parade of privacy fails takes that honor. But the background here matters. While Internet-enabled devices have become smaller, more powerful and affordable, routers haven’t kept pace. Prone to the same old problems–dead zones, minimal security, and frustrating user interfaces–making routers more reliable and less aggravating represents a fairly unimpeded path to profit in today’s marketplace. If the upgrade can provide a richer data set to the manufacturer, it’s a double win.

Online ecosystems of connected devices are not unique to Amazon. Apple, Google, Facebook, IBM, Microsoft, Sony, and virtually every other major technology manufacturer are building their own constellation of products. In theory, everyone wins. Manufacturers enjoy more robust sales and we get to enjoy the relative ease of use that comes from products that communicate effortlessly.

Privacy Policies Aren’t Enough

The privacy concerns that arise here are hard to ignore. While Amazon hasn’t had any major privacy fails, it has aggregated a staggering amount of information associated with its customers.

eero’s privacy policy also leaves a lot to be desired. It’s easier to read than Amazon’s and is displayed more prominently on its site, but still offers many of the same bland reassurances with very little in the way of permanent, assured customer protection.

Case in point: “We may create Anonymous Data records from Personal Data by using various procedures to remove or obscure information (such as your name, email address, phone number or IP address) that makes the data personally identifiable to you… We reserve the right to use Anonymous Data for other purposes and disclose Anonymous Data to third parties in our sole discretion.”

As we’ve seen time and again, anonymized data counts as a fig leaf as far as privacy and your identity are concerned. If a few social media posts matched with anonymized credit card metadata transactions are enough to identify over 90% of the population, matching incoming and outgoing Internet traffic to its source would certainly render privacy effectively non-existent. Pre-acquisition, the best thing about eero’s privacy policy was arguably that the data wasn’t owned by a big company specializing in stockpiling and monetizing our data–e.g., Amazon, Google, Facebook.

Control of Your Data

Amazon has consistently tried to downplay these concerns. After I reached out to the company for comment, a representative asserted that “Amazon has no plans to change eero’s policy at this time.” In other words, the privacy protections offered by eero will last until Amazon decides to change them, which could be tomorrow if the company’s abrupt reversal on moving to New York is any indication.

Customer control is hard to assert given Amazon’s reach. Even if you don’t have an Echo in your home or shop at Whole Foods, the company accounts for half of all online commerce, and is the largest cloud provider on the web, providing streaming and hosting for Netflix, HBO Go, AirBnB, and others. As an article written by Kashmir Hill showed earlier this year, it’s nearly impossible to fully opt out of Amazon’s services, and at this point it seems somewhat naive to expect that consumer data tracking isn’t occurring, at least in some form, every step of the way.

And There’s That Security Thing

The only thing potentially more troubling than granting Amazon access to a home router is the prospect of who else may be able to access it. Amazon’s IoT devices have already made high profile security gaffes, including the Echo secretly recording conversations, and recent revelations of the company sharing unfettered access of every video created by every Ring camera in the world.

Routers are generally not the most secure devices on earth, and can potentially provide access to any device connected to it. Theoretically, this means a compromised Amazon account, a misconfigured Amazon Echo, a Ring doorbell improperly secured, or a Kindle forgotten at a coffee shop could increase the attackable surface of Joe or Joanne IoT User.

Will Customers Pay to Increase their Attackable Surface?

The short answer: Hopefully not. In the U.S., states and the federal government are increasingly following the European Union’s lead establishing standards for consumer privacy, and we should expect to see major legislation, like that in California, to become law in the next five years. The kinds of (potential) surveillance that Amazon’s ecosystem of products makes possible will almost certainly be illegal ten years from now.

What is Amazon’s position regarding consumer willingness to be surveilled in this way? An Amazon representative told me the following: “eero and Amazon strongly object to the use of the word “surveilled.” That is a wholly inaccurate characterization of these devices and services. eero and Amazon offer devices and services that customers can decide to use or not use – customers are always in control.”

In other words, “Other than that, how was the play, Mrs. Lincoln?”

With continuous revelations of data breaches and compromise, privacy scandals and state-sponsored cyberattacks, the new incursions into consumer privacy seems like a losing gambit. More than ever, consumers are protecting their data, which is making the big-tech privacy grabs of the past few years seem very much like the surveillance economy’s “jump the shark” moment.